Commit b40db684 authored by Vlad Yasevich's avatar Vlad Yasevich

[SCTP]: Incorrect length was used in SCTP_*_AUTH_CHUNKS socket option

The chunks are stored inside a parameter structure in the kernel
and when we copy them to the user, we need to account for
the parameter header.
Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
parent 15efbe76
...@@ -5070,6 +5070,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len, ...@@ -5070,6 +5070,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
struct sctp_authchunks val; struct sctp_authchunks val;
struct sctp_association *asoc; struct sctp_association *asoc;
struct sctp_chunks_param *ch; struct sctp_chunks_param *ch;
u32 num_chunks;
char __user *to; char __user *to;
if (len <= sizeof(struct sctp_authchunks)) if (len <= sizeof(struct sctp_authchunks))
...@@ -5086,10 +5087,11 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len, ...@@ -5086,10 +5087,11 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
ch = asoc->peer.peer_chunks; ch = asoc->peer.peer_chunks;
/* See if the user provided enough room for all the data */ /* See if the user provided enough room for all the data */
if (len < ntohs(ch->param_hdr.length)) num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
if (len < num_chunks)
return -EINVAL; return -EINVAL;
len = ntohs(ch->param_hdr.length); len = num_chunks;
if (put_user(len, optlen)) if (put_user(len, optlen))
return -EFAULT; return -EFAULT;
if (copy_to_user(to, ch->chunks, len)) if (copy_to_user(to, ch->chunks, len))
...@@ -5105,6 +5107,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len, ...@@ -5105,6 +5107,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
struct sctp_authchunks val; struct sctp_authchunks val;
struct sctp_association *asoc; struct sctp_association *asoc;
struct sctp_chunks_param *ch; struct sctp_chunks_param *ch;
u32 num_chunks;
char __user *to; char __user *to;
if (len <= sizeof(struct sctp_authchunks)) if (len <= sizeof(struct sctp_authchunks))
...@@ -5123,10 +5126,11 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len, ...@@ -5123,10 +5126,11 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
else else
ch = sctp_sk(sk)->ep->auth_chunk_list; ch = sctp_sk(sk)->ep->auth_chunk_list;
if (len < ntohs(ch->param_hdr.length)) num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
if (len < num_chunks)
return -EINVAL; return -EINVAL;
len = ntohs(ch->param_hdr.length); len = num_chunks;
if (put_user(len, optlen)) if (put_user(len, optlen))
return -EFAULT; return -EFAULT;
if (copy_to_user(to, ch->chunks, len)) if (copy_to_user(to, ch->chunks, len))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment